openapi: 3.0.1
info:
  title: Auth API
  description: |
    # Backstage's auth-provider API.

    **Provided by `@backstage/auth-backend`.**

    The purpose of the Auth APIs in Backstage are to identify the user, and to provide a way for plugins
    to request access to 3rd party services on behalf of that user.

    The API is supplied with a list of providers - such as `Google` or `Github` - and will add the endpoints
    described below to each of those providers.

    Read more about [User Authentication and Authorization in Backstage](https://github.com/backstage/backstage/blob/master/docs/auth/overview.md).
  license:
    name: Apache 2.0
    url: http://www.apache.org/licenses/LICENSE-2.0.html
  version: 0.1.1-alpha.8
externalDocs:
  description: Backstage official documentation
  url: https://backstage.io/docs
servers:
  - url: http://localhost:7007/api/auth/
tags:
  - name: provider
    description: List of endpoints per provider
paths:
  /start:
    get:
      tags:
        - provider
      summary:
        Initializes the authorization flow and redirects to a consent screen for
        the provider
      description:
        The popup window is pointed to the `/start` endpoint of the auth
        provider in the auth-backend plugin, which then redirects to the OAuth
        consent screen of the provider.
      parameters:
        - name: scope
          in: query
          description:
            Scope requested for the auth session. The scope format and handling
            is specific to each provider
          required: true
          schema:
            type: string
            example: email
        - name: env
          in: query
          description: Parameter to indicate runtime environment
          required: true
          schema:
            type: string
            example: development
      responses:
        302:
          description: Redirect to the consent popup
          headers:
            Location:
              description: The url to the consent popup
              schema:
                type: string
            Set-Cookie:
              description: Nonce cookie
              schema:
                $ref: '#/components/schemas/Nonce-Cookie'
        default:
          description: An error occurred
  /frame/handler:
    get:
      tags:
        - provider
      summary: Handles the response from the consent popup for the provider
      description:
        If the login request is accepted, the popup window will be redirected
        back to the `/handler/frame` endpoint of the auth backend.
      parameters:
        - name: scope
          in: query
          description: Scope requested for the auth session
          required: true
          schema:
            type: string
            example: email
        - name: code
          in: query
          description: Short-term authorization code used to be exchanged for access tokens
          required: true
          schema:
            type: string
        - name: state
          in: query
          description: Nonce value stored in state
          required: true
          schema:
            type: string
        - name: provider-nonce
          in: cookie
          description: Nonce value stored in cookie
          required: true
          schema:
            type: string
        - name: env
          in: query
          description: Parameter to indicate runtime environment
          required: true
          schema:
            type: string
            example: development
      responses:
        200:
          description: Message received from consent popup
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/AuthResponse'
                  - $ref: '#/components/schemas/AuthError'
              examples:
                AuthResponse:
                  summary: AuthResponse
                  value: |
                    {
                      type: "auth-result",
                      payload: {
                          accessToken: "access-token",
                          idToken: "id-token",
                          expiresInSecond: 3600,
                          scope: "email"
                        }
                    }
                AuthError:
                  summary: AuthError
                  value: |
                    {
                      type: "auth-result",
                      error: {
                        name: "error",
                        message: "message",
                        stack: "stack"
                      }
                    }
          headers:
            Set-Cookie:
              description: Refresh cookie
              schema:
                $ref: '#/components/schemas/Refresh-Cookie'
  /refresh:
    get:
      tags:
        - provider
      summary: Handles refreshing of tokens due to reload or expiry
      description:
        If supported by the provider, the `/refresh` endpoint is responsible for
        refreshing the tokens using a refresh-token stored in a cookie
      parameters:
        - name: scope
          in: query
          description: Scope requested for the auth session
          required: true
          schema:
            type: string
            example: email
        - name: optional
          in: query
          description: Prevent the popup from being displayed
          schema:
            type: string
        - name: x-requested-with
          in: header
          description: X-Requested-With header preventing CSRF
          required: true
          schema:
            type: string
            example: 'x-requested-with: XMLHttpRequest'
        - name: provider-refresh-token
          in: cookie
          description: Refresh token used to refresh the current session
          required: true
          schema:
            type: string
      responses:
        200:
          description: Successfully refreshed the session
        401:
          description: Validation error
  /logout:
    post:
      tags:
        - provider
      summary: Logs user out of the current provider
      description:
        When logging out the current session is removed and if present the
        cookie containing the refresh token is also removed
      parameters:
        - name: x-requested-with
          in: header
          description: X-Requested-With header preventing CSRF
          required: true
          schema:
            type: string
            example: 'x-requested-with: XMLHttpRequest'
      responses:
        200:
          description: Successfully logged out
          headers:
            Set-Cookie:
              description: Refresh cookie
              schema:
                $ref: '#/components/schemas/Refresh-Cookie'
        401:
          description: Validation error
components:
  schemas:
    Nonce-Cookie:
      type: object
      properties:
        provider-nonce:
          type: string
        maxAge:
          type: integer
        secure:
          type: boolean
        sameSite:
          type: string
        domain:
          type: string
        path:
          type: string
        httpOnly:
          type: boolean
    Refresh-Cookie:
      type: object
      properties:
        provider-refresh-token:
          type: string
        maxAge:
          type: integer
        secure:
          type: boolean
        sameSite:
          type: string
        domain:
          type: string
        path:
          type: string
        httpOnly:
          type: boolean
    AuthResponse:
      type: object
      properties:
        type:
          type: string
        payload:
          type: object
          properties:
            accessToken:
              type: string
            idToken:
              type: string
            expiresInSeconds:
              type: number
            scope:
              type: string
    AuthError:
      type: object
      properties:
        type:
          type: string
        error:
          type: object
          properties:
            name:
              type: string
            message:
              type: string
            stack:
              type: string
